“Humans … have only a limited ability to memorize complex, arbitrary secrets.”
Users and IT view cybersecurity as a speed bump – and no one looks forward to speed bumps.
The reputation is well deserved when you consider that we (the cybersecurity team) tell users to create a unique, complex password for each account to increase security, and then incur ongoing help desk costs to reset those passwords because users forget them – or let them expire, out of fear of forgetting a new password that satisfies the complexity requirements.
NIST observed in Special Publication 800-63B, “Humans … have only a limited ability to memorize complex, arbitrary secrets.” We are committed to strong security at the access point, so we require complexity anyway and, when help desk intervention is the result, tell Operations to budget for it. According to Gartner, 20 – 50% of help desk calls are for password resets – an expensive burden for any help desk.
In 2011, Forrester estimated that each call to the help desk for a password reset costs $70. Gartner pointed out that the cost to an organization is not just the pay for the help desk worker but also the lost productivity, and estimated the overall cost of a password reset at up to $130. I’ll let you guess how much a password reset costs in today’s dollars.
Requiring users to call the help desk is a sub-optimal approach – it increases IT costs, irritates the user, lowers their productivity and certainly isn’t going to increase the party invitations sent to cybersecurity team members.
And all this pain and expense is for something that is not a core business of the enterprise.
Reduce password management pain and the risk of a breach
You may have read NIST 800-63B, so you know that “Many attacks associated with the use of passwords are not affected by password complexity and length. Keystroke logging, phishing, and social engineering attacks are equally effective on lengthy, complex passwords as simple ones … the benefit of [complexity] rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe.”
If complex passwords are not a guaranteed solution, are they worth the Operations cost and the decrease in productivity and user experience? It depends on what alternatives you can use for security at the access point.
You may be able to start shifting your users away from passwords by embarking on the passwordless authentication journey. You can be a true passwordless enterprise by the end of this journey, but until then you will have to manage passwords. While your IT team focuses on creating a secure enterprise landscape by going passwordless, you can significantly reduce your password management pain with our Password Self-Service feature which is available with Thales SafeNet Trusted Access (STA).
Alternatively, if your organization is not ready to move on from passwords, Password Self-Service can be used on an ongoing basis to decrease the password management pain for you and your users.
STA is an access management and authentication service supporting Single Sign-On (SSO), adaptive authentication and a broad range of Multi-Factor Authentication (MFA) methods and form factors. SSO increases convenience for users and reduces calls to the help desk by reducing the number of passwords your users need to remember. Adaptive authentication and MFA reduce the possibility of a breach by augmenting vulnerable passwords with stronger forms of identity validation. Rule- and risk-based access policies balance convenience and identity protection by enforcing the right level of authentication and monitoring the level of risk on an as-needed basis. Password Self-Service is there, when needed, to reduce the burden on the help desk and give users a secure DIY solution.
Our authentication methods are built on MFA/2FA, include Password Self-Service, and offer many options for passwordless authentication. We offer workshops to discover your user types and authentication needs, so that you can determine how a strategic investment in security at the access point can dramatically reduce the burden on the help desk (eliminating the 20 – 50% of calls that Gartner attributes to password resets).
Empower your users with a DIY feature
When accessing STA-protected web applications, the Password Self-Service feature empowers users to independently reset their Active Directory/domain password if they have forgotten it, or change it if it has expired.
Users rely on their existing STA authentication methods to prove their identity before resetting or changing a password, so one authentication method covers all three situations: login, reset and change. For example, if an enterprise landscape does not allow the use of mobile phones, users can authenticate with a pattern-based method and then reset or change their password.
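The two security-relevant points above – that a self-service reset is only as strong as the second factor that gates it, and (from the NIST discussion earlier) that a length-plus-blocklist policy replaces composition rules – are easiest to see in code. The following is an added, generic illustration written for this page; it is not STA code, does not talk to Active Directory, and stands in for the real system with an in-memory user record. The TOTP secret, blocklist, user names and timestamps are constructed for the example, and the RFC 6238 verifier is the standard HMAC-SHA1 construction.

```python
import hashlib
import hmac
import os
import struct

# ---- NIST SP 800-63B style check: length plus a blocklist, no composition rules ----

# Constructed, deliberately tiny blocklist. A real deployment screens against a
# breach corpus and a dictionary; the logic is the same.
BLOCKLIST = {"password", "password1", "welcome1", "qwerty123", "letmein1", "summer2023"}
MIN_LENGTH = 8    # 800-63B minimum for a user-chosen memorized secret
MAX_LENGTH = 64   # 800-63B asks verifiers to accept at least 64 characters


def check_password(password: str, username: str, service: str = "example") -> list[str]:
    """Return the reasons a candidate password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    low = password.lower()
    if low in BLOCKLIST:
        reasons.append("on the blocklist")
    if username and username.lower() in low:
        reasons.append("contains the username")
    if service and service.lower() in low:          # context-specific word
        reasons.append("contains the service name")
    if len(set(low)) == 1:                            # "aaaaaaaa"
        reasons.append("repetitive characters")
    if low in "0123456789" or low in "abcdefghijklmnopqrstuvwxyz":  # "12345678", "abcdefgh"
        reasons.append("sequential characters")
    return reasons


# ---- RFC 4226 HOTP / RFC 6238 TOTP, the second factor that gates the reset ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP with HMAC-SHA1 and dynamic truncation (RFC 4226 section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP over the current 30-second time step (RFC 6238)."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate small clock drift."""
    counter = now // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# ---- Self-service reset gated on the existing second factor ----

MAX_OTP_FAILURES = 5          # lock the reset path after this many bad codes
PBKDF2_ROUNDS = 200_000       # illustrative; follow current OWASP guidance in production


class User:
    """Stand-in for the directory record; constructed for this example."""
    def __init__(self, name: str, totp_secret: bytes):
        self.name, self.totp_secret = name, totp_secret
        self.salt = self.pw_hash = None
        self.otp_failures, self.locked = 0, False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def self_service_reset(user: User, otp_code: str, new_password: str, now: int) -> str:
    """Forgotten-password reset: prove the second factor first, then apply the policy."""
    if user.locked:
        return "locked: contact help desk"
    if not verify_totp(user.totp_secret, otp_code, now):
        user.otp_failures += 1                     # guessing the OTP must not be free
        if user.otp_failures >= MAX_OTP_FAILURES:
            user.locked = True
        return "bad otp"
    user.otp_failures = 0
    problems = check_password(new_password, user.name)
    if problems:
        return "rejected: " + "; ".join(problems)
    user.salt = os.urandom(16)
    user.pw_hash = hash_password(new_password, user.salt)
    return "ok"


def verify_password(user: User, password: str) -> bool:
    return user.pw_hash is not None and hmac.compare_digest(
        hash_password(password, user.salt), user.pw_hash)


if __name__ == "__main__":
    alice = User("alice", b"12345678901234567890")   # RFC 6238 test secret
    print(self_service_reset(alice, "000000", "correct horse battery staple", 59))
    print(self_service_reset(alice, totp(alice.totp_secret, 59), "alice2024!", 59))
    print(self_service_reset(alice, totp(alice.totp_secret, 59), "correct horse battery staple", 59))
```

Two things to check when you deploy any self-service reset, whatever product provides it: the factor that gates the reset must not itself depend on the password being reset (an email link to a mailbox protected by the same domain password is not a second factor), and failed factor attempts on the reset path need the same lockout and alerting as failed logins, since an attacker who cannot guess the password will try the reset page instead.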
Organizations can enable Password Self-Service for one group or multiple groups of users, and roll the feature out enterprise-wide in phases.
To give organizations full control over users and passwords, the solution is deployed on the customer’s premises. Customers can restrict end users to changing or resetting their password only while on the corporate network, or allow it over the VPN to include remote users.
End users can operate Password Self-Service in their preferred language as an intuitive, easy-to-use feature without training, while help desk agents and IT focus on higher-priority issues. Decreasing the burden on the help desk, reducing Operations cost and the likelihood of a security breach, and improving the user experience can go a long way toward changing the cybersecurity team’s reputation from speed bump to critical and essential team members.